InvalidAuthenticityToken?

Should I be worried about InvalidAuthenticityToken errors? I’m pretty
sure this isn’t someone trying to hack us, but I suspect it may be some
config error on our part.

We have 2 servers, each with multiple mongrels and Apache load-balancing
between them.

On the same lines, should I expect an authenticity token to remain
constant for the life of a session? I’ve analyzed my logs and I am
/definitely/ seeing instances where it looks like the authenticity token
is changing within a session (infrequently, though).

When it does change, it seems to be okay, though, since the response to
the client has the new authenticity token, then the form submit has the
new one and everything is okay.

But I do have cases where the server rejects the authenticity token…
any ideas why this might be happening or what I can look at to try and
debug?

Thanks,

dwh